VShell Vulnerability
Created 2/23/01
CVE 2001-0155
CVE 2001-0156
Impact
A remote attacker could execute arbitrary commands on the
server with the privileges of the VShell server.
Background
VShell is a secure shell server for Windows NT and Windows 2000.
It uses the SSH2 protocol and allows
system administration tasks to be performed remotely
and securely from any standard SSH2 client.
It also supports port forwarding, so that other services
can be used securely through an encrypted tunnel.
The Problem
CVE 2001-0155
VShell contains a buffer overflow condition in the code which processes
user names. This condition could be exploited remotely to
execute arbitrary commands with the same privileges as
the VShell service.
CVE 2001-0156
A second problem is that there is a default port forwarding
rule of 0.0.0.0/0.0.0.0 to any port, which
could allow any user with an account on the server to access
any port on any host which is accessible from the server
running VShell. If the server is a gateway to a protected
network, this could provide a means of bypassing the
protection, thus exposing the internal network.
VShell 1.0 and 1.0.1 are affected by these vulnerabilities.
Resolution
Upgrade to VShell version 1.0.2 or higher.
It is also a good idea to restrict access to the VShell
server so that it can only be used from authorized client
hosts. This is done by the following steps:
- From the control panel, double-click on the VShell icon
- Select Connection Filters from the left-hand side
- Delete the default rule of action Allow Source 0.0.0.0/0.0.0.0
- Add the new filters which specify which hosts are allowed to connect to the SSH gateway
The default port forwarding problem can be fixed using
these steps:
- From the control panel, double-click on the VShell icon
- Select Port-Forward Filters from the left-hand side
- Delete the default rule of action Allow Target 0.0.0.0/0.0.0.0
- If port forwarding is required, add the new filters which specify which hosts can be forwarded to
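The effect of both filter changes above can be checked offline with the following added example, which is not VShell code or part of the original advisory. It assumes rules are evaluated first-match with deny when nothing matches; the sample addresses and the audit threshold are constructed for illustration.

```python
import ipaddress

# Constructed rule sets in the advisory's "Action address/mask" form.
DEFAULT_RULES = [("Allow", "0.0.0.0", "0.0.0.0")]  # the default rule to delete
RESTRICTED_RULES = [
    ("Allow", "192.0.2.10", "255.255.255.255"),    # a single host
    ("Allow", "198.51.100.0", "255.255.255.0"),    # a single /24 subnet
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def rule_matches(rule, host):
    """True when host falls inside the rule's address/mask pair."""
    _, addr, mask = rule
    m = _to_int(mask)
    return (_to_int(host) & m) == (_to_int(addr) & m)

def is_allowed(rules, host):
    """Assumed semantics: the first matching rule decides, no match means deny."""
    for rule in rules:
        if rule_matches(rule, host):
            return rule[0].lower() == "allow"
    return False

def covered_addresses(rule):
    """Number of IPv4 addresses the rule's mask lets through."""
    wildcard_bits = bin(_to_int(rule[2]) ^ 0xFFFFFFFF).count("1")
    return 2 ** wildcard_bits

def audit(rules, max_addresses=256):
    """Return Allow rules broader than max_addresses (hypothetical threshold)."""
    return [r for r in rules
            if r[0].lower() == "allow" and covered_addresses(r) > max_addresses]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("restricted", RESTRICTED_RULES)):
        print(name, "allows 10.1.2.3:", is_allowed(rules, "10.1.2.3"),
              "| overly broad rules:", audit(rules))
```

With the default rule in place every address is allowed and the audit flags it; with the replacement filters only the listed host and subnet pass.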
Where can I read more about this?
This vulnerability was reported in an @stake security advisory.